RBAC default/unknown role set confusion
I was testing this and realised that the role sets described in the ARM as:

  default-role: the configuration of the default role (used when "" is assigned).
  unknown-role: the configuration of the unknown role (used when the not-empty assigned role has no configuration).

may not be working as planned.
- I'm not sure when the role "" for default-role should be assigned, because:
  - when assign-role-method is remote-address, an incoming command will always have a source address, and if there is no role configured for its address it will be assigned to unknown
  - when assign-role-method is set to cert-subject or cert-issuer, the certificate will always have a CN value, so a role will always be assigned, and if that role is not defined, unknown-role is used
  - when assign-role-method is set to basic-authentication and the client does not provide a user and password defined in the authentication part of the Control Agent configuration, it will be dropped even before it reaches the RBAC logic; and if the client provides correct credentials but no role is configured for them, it will end up in unknown-role
- the logs in the Control Agent do not even differentiate between those two roles:
  RBAC_TRACE_AUTH_REJECT Role configuration 'unknown/reject' for role 'not_kea_client' has rejected command 'status-get'.
- there is no clear statement of what the default configurations of default-role and unknown-role are.
So what am I missing? Or is splitting default-role and unknown-role not really needed?
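Since the post notes that the ARM does not state what default-role and unknown-role contain by default, a practitioner who cannot resolve the question would want to configure both explicitly so that an unmatched client is denied regardless of which of the two paths the hook takes. The fragment below is an added example, not configuration from the post or from the Kea project; the hook library path is an assumption, and the parameter names (assign-role-method, api-files, roles, accept-commands, reject-commands, other-commands, unknown-role, default-role) are written as I recall them from the Kea RBAC hook documentation and should be checked against the ARM for the version in use.

```json
{
    "Control-agent": {
        "http-host": "127.0.0.1",
        "http-port": 8000,
        "hooks-libraries": [
            {
                "library": "/usr/local/lib/kea/hooks/libca_rbac.so",
                "parameters": {
                    "assign-role-method": "remote-address",
                    "api-files": "/usr/local/share/kea/api",
                    "roles": [
                        {
                            "name": "127.0.0.1",
                            "accept-commands": [ "status-get", "config-get" ],
                            "reject-commands": [],
                            "other-commands": "reject"
                        }
                    ],
                    "unknown-role": {
                        "accept-commands": [],
                        "reject-commands": "ALL",
                        "other-commands": "reject"
                    },
                    "default-role": {
                        "accept-commands": [],
                        "reject-commands": "ALL",
                        "other-commands": "reject"
                    }
                }
            }
        ]
    }
}
```

With remote-address as the method, a command from 127.0.0.1 is limited to the two read-only commands listed; a command from any other address lands in unknown-role and is rejected. default-role is given the same deny-all body, so even if some method does assign the empty role "" the outcome is the same as for an unknown role, and the RBAC_TRACE_AUTH_REJECT line in the log is the expected result for both cases.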